The California Consumer Privacy Act (CCPA) of 2018 came into effect January 1, 2020. What does that mean for you?
The European Union’s General Data Privacy Regulation (GDPR) came into effect May 25, 2018. California had already put CalOPPA – the California Online Privacy Protection Act of 2003 – into effect years earlier. CalOPPA focuses on consumer data protection through clear website privacy policies about how websites handle personally identifiable information.
Now California is doubling down on consumer privacy with the California Consumer Privacy Act (CCPA), which took effect January 1, 2020. In some ways, the CCPA goes further than CalOPPA because it requires companies to inform consumers about personal data they collect and share, and gives users a right to access their information, request its deletion, and opt out of communications or sharing the information. However, CalOPPA has a broader scope than the CCPA, because CalOPPA applies to all websites a California resident may visit, whereas the CCPA applies only to larger companies, as you will see below.
The CCPA, much like the European GDPR, is concerned with privacy rights. In this case, instead of protecting Europeans, it protects residents of California.
The California Consumer Privacy Act (CCPA) applies to businesses that make at least $25 million in annual revenue, hold the data of more than 50,000 users or devices, or earn more than 50% of their revenue from selling data.
It does not apply to companies under HIPAA, banks or financial companies, or credit report agencies.
Given the parameters noted above, CCPA may well not apply to your business or organization. However, as with GDPR, we recommend you show good faith to your visitors and clients by being transparent with your use of their data, and keeping their privacy and security at the forefront of your mind and your methods.
We recommend you:
- Do not collect any unnecessary data
- Inventory the data you do collect, and where it is stored
- Know what third parties, if any, you are sharing data with, and how they are protecting it
- Audit your data on an annual basis, and do not retain data you no longer need
- Ensure you use secure methods and locations to store the data
- Keep your organization’s computers secure, starting with firewalls and regular virus scans
- Ensure your website remains secure
- Have users opt in to newsletters, rather than opting out
- Consider having a data protection audit performed by a specialist
If you need further assistance with thinking through your visitors’ and customers’ privacy, get in touch and we’ll be happy to help.